From 7558c6995d8e89cef18aa92c558df46dc55e6a92 Mon Sep 17 00:00:00 2001 From: Kris Nuttycombe Date: Tue, 26 Jan 2021 14:31:47 -0700 Subject: [PATCH] Add signature digest algorithm for TZEs. --- zip-0244.rst | 21 +++++----- zip-0245.rst | 109 +++++++++++++++++++++++++++++++++++++++++---------- 2 files changed, 99 insertions(+), 31 deletions(-) diff --git a/zip-0244.rst b/zip-0244.rst index 8d8242d7..044369d1 100644 --- a/zip-0244.rst +++ b/zip-0244.rst @@ -252,7 +252,7 @@ The personalization field of this hash is set to:: T.4a.i: ``sapling_spends_compact_digest`` ....................................... -A BLAKE2b-256 hash of the field encoding of all nullifier field +A BLAKE2b-256 hash of the field encoding of all ``nullifier`` field values of Sapling shielded spends belonging to the transaction. The personalization field of this hash is set to:: @@ -330,12 +330,12 @@ The personalization field of this hash is set to:: Signature Digest ================ -A new per-input transaction digest algorithm that constructs a hash that may be signed -by a transaction creator to commit to the effects of the transaction. In the -case that the transaction consumes no transparent inputs, it should be possible -to just sign the transaction identifier produced by the ``TxId Digest`` algorithm. -In the case that transparent inputs are present, this algorithm follows closely -the ZIP 143 [#zip-0143]_ algorithm. +A new per-input transaction digest algorithm is defined that constructs a hash that may be +signed by a transaction creator to commit to the effects of the transaction. In the case +that the transaction consumes no transparent inputs, it should be possible to just sign +the transaction identifier produced by the ``TxId Digest`` algorithm. In the case that +transparent inputs are present, this algorithm follows closely the ZIP 143 [#zip-0143]_ +algorithm. The overall structure of the hash is as follows; each name referenced here will be described in detail below: 
@@ -495,7 +495,7 @@ A BLAKE2b-256 hash of the following values :: The personalization field of this hash is set to:: - "ZTxAuth_____Hash" (5 underscore characters) + "ZTxAuthHash_" || CONSENSUS_BRANCH_ID 1: ``transparent_scripts_digest`` ````````````````````````````````` @@ -508,8 +508,9 @@ The personalization field of this hash is set to:: 2: ``sprout_auth_digest`` ``````````````````````````` -A BLAKE2b-256 hash of the field encoding of the zkproof values of each -``JSDescription`` belonging to the transaction. +A BLAKE2b-256 hash of the field encoding of the ``zkproof`` values of each +``JSDescription`` belonging to the transaction, followed by the +``joinsplit_pubkey`` and ``joinsplit_sig``. * 2a. ``zkproofs`` (field encoding bytes) * 2b. ``joinsplit_pubkey`` diff --git a/zip-0245.rst b/zip-0245.rst index 33a5cf89..1ac97578 100644 --- a/zip-0245.rst +++ b/zip-0245.rst @@ -31,16 +31,16 @@ TxId Digest The tree of hashes defined by ZIP 244 [#zip-0244]_ is re-structured to include a new branch for TZE hashes. The ``tze_digest`` branch is the only new addition to the tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and ``sapling_digest`` -are as in ZIP 244. +are as in ZIP 244:: -txid_digest -├── header_digest -├── transparent_digest -├── tze_digest -│   ├── tzein_digest -│   └── tzeout_digest -├── sprout_digest -└── sapling_digest + txid_digest + ├── header_digest + ├── transparent_digest + ├── tze_digest + │   ├── tzein_digest + │   └── tzeout_digest + ├── sprout_digest + └── sapling_digest ``txid_digest`` ``````````````` 
@@ -89,19 +89,86 @@ The personalization field of this hash is set to:: "ZTxIdTzeOutsHash" -Witness Digest --------------- +Signature Digest +---------------- -The tree of hashes defined by ZIP 244 [#zip-0244]_ is re-structured to include a new -branch for TZE hashes. The ``tze_digest`` branch is the only new addition to the -tree; ``transparent_digest``, ``sprout_digest``, and ``sapling_digest`` -are as in ZIP 244. +The signature digest creation algorithm defined by ZIP 244 [#zip-0244]_ is modified to +include a new branch for TZE hashes. The ``tze_digest`` branch is the only new addition +to the tree; ``header_digest``, ``transparent_digest``, ``sprout_digest``, and +``sapling_digest`` are as in ZIP 244:: -auth_digest -├── transparent_scripts_digest -├── tze_witnesses_digest -├── sprout_sigs_digest -└── sapling_sigs_digest + signature_digest + ├── header_digest + ├── transparent_digest + ├── tze_digest + │   ├── tzein_digest + │   └── tzeout_digest + ├── sprout_digest + └── sapling_digest + +``signature_digest`` +-------------------- +A BLAKE2b-256 hash of the following values :: + + * S.1: ``header_digest`` (32-byte hash output) + * S.2: ``transparent_digest`` (32-byte hash output) + * S.3: ``tze_digest`` (32-byte hash output) + * S.4: ``sprout_digest (32-byte hash output) + * S.5: ``sapling_digest (32-byte hash output) + +The personalization field of this hash is set to:: + + "ZcashTxHash_" || CONSENSUS_BRANCH_ID + +This value must have the same personalization as the top hash of the transaction +identifier digest tree, in order to make it possible to sign the transaction id +in the case that there are no transparent inputs. 
+ +S.1: ``header_digest`` +````````````````````````` +Identical to that specified by S.1 in ZIP 244 + +S.2: ``transparent_digest`` +``````````````````````````` +Identical to that specified by S.2 in ZIP 244 + +S.3: ``tze_digest`` +````````````````````````` +This digest is a BLAKE2b-256 hash of the following values of the TZE +input being signed:: + + * S.3a. ``prevout_digest`` (field encoding bytes) + * S.3b. ``extension_id`` (CompactSize field encoding) + * S.3c. ``mode`` (CompactSize field encoding) + * S.3d. ``payload`` (arbitrary bytes) + * S.3e. ``value`` of the output spent by this input (8-byte little endian) + +The personalization field of this hash is set to:: + + "Zcash__TzeInHash" + +S.4: ``sprout_digest`` +````````````````````````` +Identical to that specified by S.3 in ZIP 244 + +S.5: ``sapling_digest`` +````````````````````````` +Identical to that specified by S.4 in ZIP 244 + + +Authorizing Data Commitment +--------------------------- + +The tree of hashes defined by ZIP 244 [#zip-0244]_ for authorizing data commitments is +re-structured to include a new branch for TZE hashes. The ``tze_digest`` branch is the +only new addition to the tree; ``transparent_digest``, ``sprout_digest``, and +``sapling_digest`` are as in ZIP 244:: + + auth_digest + ├── transparent_scripts_digest + ├── tze_witnesses_digest + ├── sprout_sigs_digest + └── sapling_sigs_digest ``auth_digest`` ``````````````` @@ -117,7 +184,7 @@ The personalization field of this hash is unmodified from ZIP 244. 2: ``tze_witnesses_digest`` ``````````````````````````` -A BLAKE2b-256 hash of the field encoding of the witness data associated +A BLAKE2b-256 hash of the field encoding of the witness ``payload`` data associated with each TZE input belonging to the transaction. The personalization field of this hash is set to::
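Review bot: the new personalization ``"ZTxAuthHash_" || CONSENSUS_BRANCH_ID`` in zip-0244.rst (@@ -495,7 +495,7 @@) no longer says how the 16 bytes are made up, which the removed line did with "(5 underscore characters)". The string is 12 characters, so CONSENSUS_BRANCH_ID has to fill exactly the remaining 4 bytes of BLAKE2b's 16-byte personalization. State its width and byte order next to this line, or point to where the ZIP defines it, so that two implementations cannot derive different auth digests.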
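Review bot: in zip-0245.rst (@@ -89,19 +89,86 @@) the ``signature_digest`` tree gives ``tze_digest`` the children ``tzein_digest`` and ``tzeout_digest``, but S.3 defines it as a hash over the fields of the single TZE input being signed (S.3a to S.3e) and never mentions ``tzeout_digest``. Say what S.3 is when the signature is not for a TZE input and how TZE outputs are committed to, or redraw the tree to match. Because S.3 is per-input, the rationale "in the case that there are no transparent inputs" should also require that there are no TZE inputs. Smaller points in the same hunk: S.4 and S.5 are missing the closing backticks after ``sprout_digest`` and ``sapling_digest``, and the Authorizing Data Commitment paragraph names ``tze_digest``, ``transparent_digest``, ``sprout_digest`` and ``sapling_digest`` while the tree below it lists ``transparent_scripts_digest``, ``tze_witnesses_digest``, ``sprout_sigs_digest`` and ``sapling_sigs_digest``.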
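Review bot: ``payload`` in the ``tze_witnesses_digest`` text of zip-0245.rst (@@ -117,7 +184,7 @@) is described as witness data, and S.3d of the new signature digest also hashes a ``payload`` of the TZE input being signed. If these are the same field, the signed hash covers the witness it is meant to authorize. If S.3d is instead the payload of the output being spent (as the wording of S.3e does for ``value``), name the two fields differently so that the distinction is unambiguous.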